Diffstat (limited to 'pkg/sentry/fs/context.go')
-rw-r--r--pkg/sentry/fs/context.go5
1 files changed, 5 insertions, 0 deletions
diff --git a/pkg/sentry/fs/context.go b/pkg/sentry/fs/context.go
index 1775d3486..c0e6075e4 100644
--- a/pkg/sentry/fs/context.go
+++ b/pkg/sentry/fs/context.go
@@ -46,6 +46,11 @@ func ContextCanAccessFile(ctx context.Context, inode *Inode, reqPerms PermMask)
p = uattr.Perms.Group
}
+ // Do not allow programs to be executed if MS_NOEXEC is set.
+ if IsFile(inode.StableAttr) && reqPerms.Execute && inode.MountSource.Flags.NoExec {
+ return false
+ }
+
// Are permissions satisfied without capability checks?
if p.SupersetOf(reqPerms) {
return true
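Review bot: The new guard `if IsFile(inode.StableAttr) && reqPerms.Execute && inode.MountSource.Flags.NoExec` only fires for callers that request Execute through ContextCanAccessFile, so full MS_NOEXEC coverage depends on code outside this hunk. Linux also refuses PROT_EXEC mappings of files on a noexec mount, and a mapping request is normally checked for read rather than execute permission, so it is worth confirming that the mmap path consults `MountSource.Flags.NoExec` on its own. The placement ahead of the capability checks looks deliberate and should be recorded so a later refactor does not move it, e.g. `// Checked before the capability fallbacks below: MS_NOEXEC must hold even for callers holding CAP_DAC_OVERRIDE.` ContextCanAccessFile starts before and continues after the hunk, so the capability logic itself is not visible here.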